U.S. Department of the Interior
Office of Inspector General

AUDIT REPORT

FOLLOWUP OF GENERAL CONTROLS OVER AUTOMATED INFORMATION SYSTEMS,
OPERATIONS SERVICE CENTER, BUREAU OF INDIAN AFFAIRS

REPORT NO. 98-I-483
JUNE 1998

A-IN-BIA-001-97

United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20240
JUN 10 1998

AUDIT REPORT
Memorandum

To:       Assistant Secretary for Indian Affairs

From:     Robert J. Williams
          Acting Inspector General

Subject:  Audit Report on Follow-up of General Controls Over Automated Information Systems, Operations Service Center, Bureau of Indian Affairs (No. 98-I-483)

INTRODUCTION

This report presents the results of our followup audit of recommendations contained in our April 1997 audit report titled "General Controls Over Automated Information Systems, Operations Service Center, Bureau of Indian Affairs" (No. 97-I-771). The objective of our followup audit was to determine whether the Bureau of Indian Affairs had satisfactorily implemented the recommendations made in our prior audit report and whether any new recommendations were warranted. This audit supports the annual financial statements audits of the Bureau and the Office of the Special Trustee for American Indians by evaluating the reliability of the general controls over computer-generated data that support the financial statements.

BACKGROUND

The Operations Service Center is organizationally under the Bureau's Office of Information Resources Management and is located in Albuquerque, New Mexico. The Center operated an IBM and a Unisys mainframe computer and provided computer services such as telecommunications; software development, operations, and maintenance; systems recovery; and user support and is responsible for the Bureau's automated information system security. The IBM computer was used to run Bureau applications such as the Land Records Information System and the National Irrigation Information Management System. The Unisys computer was used to run Office of the Special Trustee for American Indians applications such as the Individual Indian Monies application and Bureau applications that supported the Indian trust fund accounts.

In response to our prior audit, the Bureau informed us that the IBM and Unisys mainframe computer operations and data processing functions were being transferred to a host computer owned by the U.S. Geological Survey, located in Reston, Virginia. The operating and data processing functions provided by the Geological Survey were to allocate space on the host computer for the Bureau to operate and run its IBM operating system, applications, and security software; to provide for physical security over the host computer; to back up and recover data and files; and to provide off-site storage of backed up data and files.

SCOPE OF AUDIT

The scope of our followup audit included an evaluation of the actions taken by Bureau management to implement the 13 recommendations made in our April 1997 audit report. In addition, we reviewed the Bureau's progress in moving the Center's mainframe data processing functions to the Geological Survey's host computer in Reston because of the impact that moving the data processing functions will have on Bureau management's ability to implement the recommendations.

This review was conducted in accordance with the "Government Auditing Standards," issued by the Comptroller General of the United States. Accordingly, we included such tests of records and other auditing procedures that were considered necessary under the circumstances. We reviewed internal controls only to the extent that they related to corrective actions taken by Bureau management on the recommendations contained in the April 1997 audit report.

RESULTS OF AUDIT

Our April 1997 audit report concluded that the general controls over the Bureau of Indian Affairs automated information systems at the Center were not effective. Specifically, an effective security program had not been implemented; controls over access, software development and changes, segregation of duties, and system software were inadequate; and a service continuity plan had not been developed and implemented. The general controls were not effective because Bureau management had not developed a formal, up-to-date, and comprehensive system security program or established formal policies, standards, and procedures for computer operations. Additionally, the Bureau's Information Technology (IT) Security Manager¹ function was not at the appropriate organizational level, and adequate funding and personnel were not provided to fully support the Center's mission. The audit concluded that the deficient general controls significantly increased the risk of unauthorized access; modifications to and disclosure of sensitive data maintained in the Center's mainframe computers; theft or destruction of hardware, software, and sensitive data; and loss of critical systems and functions in the event of a disaster. In addition, the deficient controls decreased the reliability of the data maintained on the Center's computers. Our April 1997 audit report contained 13 recommendations for improving the general controls over the Bureau's automated information systems at the Center.

¹This position was formerly known as the Bureau's Automated Information Systems Security Officer. The Departmental Manual (375 DM 19, "Information Technology Security") changed the title to "Bureau IT Security Manager."

Of the 13 recommendations made, we found that the Bureau had partially implemented 2 recommendations and had not implemented 10 recommendations and that 1 recommendation was no longer applicable because the Bureau changed its plans for the Unisys computer (see Appendix 1). Therefore, we concluded that the general control weaknesses and risks identified by our prior audit for fiscal year 1996 continued to exist during fiscal year 1997. We have made eight new recommendations to address the weaknesses we found during the followup audit.

In its response to the April 1997 audit report, the Bureau also stated that many of the weaknesses identified would be corrected with the movement of the Center's data processing functions to the Geological Survey's host computer. However, the Center will continue, at least for fiscal year 1998, to control, operate, and maintain its computer operating system and security software and to schedule production runs manually rather than use the Geological Survey's host computer operating, security, and automated job scheduling systems. Therefore, the control weaknesses increase the risk of loss of data integrity through fiscal year 1998. Accordingly, we believe that Bureau management should establish as a high priority the use of the Geological Survey's host computer systems to reduce the Bureau's risk of loss of data integrity. Additionally, management within the Bureau and the Office of the Special Trustee for American Indians did not move their applications that resided on the Center's Unisys mainframe to the Center's IBM mainframe, which would have then been moved to the Geological Survey's host computer, but instead planned to move their applications to the Unisys server. Thus the corrective actions outlined in the Bureau's response to the prior report that relied on the movement of all data processing functions from the Center to the Geological Survey were not completed.

In its response to the April 1997 audit report, the Bureau stated, "In conjunction with the transfer of mainframe data processing from the Bureau, some reorganization or redescription of positions within the Office of Information Resources Management will be necessary." The Bureau further stated that "completion of the reorganization is October 1, 1997 with an effective date of December 1, 1997." We found that Bureau management had not formally reorganized the Office of Information Resources Management but that Center management had informally reorganized the Center to prepare for providing services as a network management center. (A network management center provides enhanced customer support that uses advanced technologies for network connectivity and problem solving and developing and maintaining client/servers.²) Although the Center was being reorganized as a network management center, we did not find an approved strategic plan for such a center. As a result, corrective actions that were dependent on the reorganization of the Office of Information Resources Management were not completed.

²A "client/server" application functions on a client/server processing environment, which is a computerized architecture in which one or more "computers called servers manage shared resources and provide access to those shared resources as a service to their clients," which are personal computers. (David Vaskevitch, Client/Server Strategies: A Survival Guide for Corporate Reengineering, IDG Books Worldwide, Inc., San Mateo, California, 1993, page 96.)

Recommendation A.1. The information technology security function be elevated organizationally to at least report directly to the Director, Office of Information Resources Management; is formally provided with authority to implement and enforce a Bureauwide system security program; and is provided staff to perform the required duties, such as providing computer security awareness training and performing periodic risk assessments.

Recommendation A.2. A system security program is developed and documented which includes the information required by the Computer Security Act of 1987 and Office of Management and Budget Circular A-130, Appendix III, and that policies and procedures are implemented to keep the system security program current.

Regarding Recommendation A.1, our prior audit found that because the Bureau's IT Security Manager function was within the Center, the security function did not have adequate independence or authority to implement and enforce a Bureauwide system security program. The security staff consisted only of the IT Security Manager and another staffperson. Most of the security staff's time was spent administering security at the Center and administering user access to the computer systems. Although users were provided written information about system security issues when access to computer systems and applications was approved, the Center did not have an employee computer security awareness training plan. Further, the security staff had not provided periodic computer security training to Bureau area and agency offices and other organizations such as schools. Additionally, a 1996 contractor-performed risk assessment recommended that the system security function be moved from the Center and elevated organizationally, but the recommendation had not been implemented at the time of our current audit.

Regarding Recommendation A.2, our prior audit found that the security implementation plan for the Bureau's automated information systems for fiscal year 1996 was not documented. Although a security implementation plan was prepared by November 1996 (for fiscal year 1997), the plan did not meet the detailed requirements of Office of Management and Budget Circular A-130, Appendix III, "Security of Federal Automated Information Resources." The plan addressed the security needs of the Bureau, but the plan did not address the security needs of the Office of the Special Trustee or include specific steps to meet the security needs of the Bureau and the Office of the Special Trustee, thus ensuring that an adequate security program was in place for the automated systems of the Bureau and the Office of the Special Trustee. The Bureau did not have an adequate security program because the Bureau reported that "virtually no security planning" had occurred because of the downsizing of the Office of Information Resources Management. We also found that Bureau management did not assess the effectiveness of the Bureau's system security program as part of its annual review under the Federal Managers' Financial Integrity Act.

In its response to the prior audit report, the Bureau stated, as part of its reorganization and redescription of the Office of Information Resources Management, that "the position of Security Officer will be elevated to report directly to the Director of OIRM [Office of Information Resources Management]." In addition, the Bureau concurred "with respect to those functions which will remain the responsibility of the Bureau subsequent to the transfer of mainframe data processing to the U.S.G.S. [Geological Survey]" and that the development of the policies and procedures would be the responsibility of the Bureau IT Security Manager, who would complete them by October 1, 1997. Bureau management agreed to provide the security staff with the authority to implement and enforce a Bureauwide system security program but did not agree to provide additional staff to meet the responsibilities. The Bureau stated that "[t]he recommendation would be appropriate if the Bureau were to continue to operate mainframe data processing," but that the data processing "function will be transferred to U.S.G.S. [Geological Survey], [and] . . . the Bureau Security Officer and his staff will be able to manage the reduced security requirements of the Albuquerque OIRM [Office of Information Resources Management] site."

Our followup review found that the IT Security Manager continued to report to the Acting Chief of the Center and that the IT Security Manager had not (1) developed new or revised policies and procedures for a Bureauwide system security program, (2) implemented and enforced a security program, and (3) evaluated the effectiveness of the security program. The Departmental Manual (375 DM 19) states:

         Bureau IT Security Manager is responsible for: managing the bureau IT security program, coordinating all bureau activities designed to protect IT resources, coordinating bureau IT security training programs, and reporting on the effectiveness of these activities to the bureau and Departmental management.

Additionally, Office of Management and Budget Circular A-130, Appendix III, requires that controls over general support and major application systems be reviewed every 3 years or more frequently if significant changes are made to the systems or risks are determined to be high.³ Further, the IT Security Manager position description included these responsibilities. However, Bureau management had not held the IT Security Manager accountable for performing these duties.

The Center was performing data processing functions and serving as a general support system, since it will continue to control the operating system, security software, and application processing for the IBM applications; operate and run a Unisys computer and applications; and operate as a network management center. We believe that the need for Bureauwide system security planning, implementation, and training and for system security oversight will not diminish but will increase and be more complex. Without a system security program, Bureau management has little assurance that its existing system security is operating effectively. Additionally, the Bureau will not be in compliance with Office of Management and Budget Circular A-130, Appendix III, because an adequate system security program was not in place and the system security program had not been evaluated for its effectiveness during the past 3 years. We consider these recommendations not implemented because Bureau management did not (1) elevate the IT Security Manager function to report directly to the Chief, Office of Information Resources Management; (2) hold the IT Security Manager accountable for performing position description responsibilities; and (3) ensure that the Bureau had an effective system security program. Further, we believe that once a security program is implemented, Bureau management should ensure that an evaluation of the effectiveness of the program is performed periodically and that the Bureau includes any resultant corrective actions in future Bureau security plans.

³Office of Management and Budget Circular A-130, Appendix III, "Security of Federal Automated Information Resources," defines a general support system as "an interconnected set of information resources under the same direct management control which shares common functionality." The Circular further states that a general support system "normally includes hardware, software, information, data, applications, communications and people" and that examples of a system are "a local area network, . . . an agency-wide backbone, a communications network, [and] a departmental data processing center including its operating system and utilities."

Recommendation A.3. The Bureau's security personnel perform risk assessments of the Bureau's automated information systems environment and, as appropriate, provide assurance that the necessary changes are implemented to manage the risks identified.

Recommendation C.1. The Bureau develop and implement policies to classify the Bureau's computer resources in accordance with the results of periodic risk assessments and guidance contained in Office of Management and Budget Circular A-130, Appendix III.

Regarding Recommendation A.3, our prior audit found that risk assessments had not been performed periodically or that they had not been performed when systems, facilities, or other conditions changed. Specifically, since 1990, only two risk assessments had been performed. These assessments were of the Center's previous mainframe configuration in 1990 and the local area networks of the Albuquerque Central Offices in 1996. While we determined that these assessments were adequate, none of the recommendations from the risk assessments had been implemented. Regarding Recommendation C.1, we found that Bureau management had not classified its computer resources, such as data files, application programs, and computer-related facilities and equipment. Resource classification allows management to (1) determine the level of security that should be provided to protect against unauthorized modification, disclosure, loss, or impairment and (2) determine whether security controls should be implemented or document Bureau management's acceptance of the risk.

In its response to the prior audit report, the Bureau stated that "the FY [fiscal year] 1996 reduction-in-force eliminated OIRM [Office of Information Resources Management] staff's capability to perform risk assessments [and resource classifications]." The Bureau further stated that "from the resources freed as a result of the transfer of data processing and as part of the reorganization/redescription . . . , positions will be established to perform the necessary risk assessments [and resource classifications]." The Bureau also stated that the risk assessments and classifications "will commence in July 1998" and "will be completed within 18 months of that date."

We agreed with the Bureau's statement that commencement of risk assessments and resource classifications could be performed by resources that will become available as a result of transferring data processing functions to the Geological Survey. However, since the Bureau's response to the prior audit report, the then Chief, Office of Information Resources Management, retired, and the position had not been filled by the end of fiscal year 1997. Consequently, Bureau management had not developed and implemented its reorganization/redescription for the Office of Information Resources Management. Further, we found that Center personnel had not become available to perform the assessments and classifications because the Center had not transferred all of its data processing responsibilities to the Geological Survey and was continuing to function as a general support system. In addition, Bureau management had not approved an information technology strategic plan for the Center to provide direction following the consolidation with the Geological Survey's host computer. Further, all of the owners of the Bureau's automated information system resources could not be identified. Therefore, we believe that the risk assessment and resource classification reviews cannot be performed in the time frame identified in the Bureau's response. Accordingly, we consider these recommendations not implemented. We believe that Bureau management should redetermine when the Bureau can begin performing its risk assessments and resource classifications.

Recommendation B.1. Ensure that personnel security policies and procedures are developed, implemented, and enforced, including those for obtaining appropriate security clearances for personnel in sensitive or critical ADP [automated data processing] positions and for informing the security staff, in writing, whenever employees who are system users terminate their employment or are transferred.

Recommendation E.1. Ensure that policies are developed and implemented which match personnel files with system users periodically, that user IDs are deleted from the system for users whose employment has been terminated, and that verification and approval are obtained from users' supervisors and application owners or managers that the levels of access are appropriate.

Regarding Recommendation B.1, our prior audit found that personnel in sensitive or critical ADP positions, such as system and application programmers, including application programmers not assigned to the Center, did not have documented background investigations for security clearances or did not have security clearances at a level commensurate with their positions. In addition, we found that, although the IBM computer had been set to automatically revoke a user identification (ID) after 180 days of inactivity, supervisors did not notify the application owner or manager or the Center's security staff to revoke and delete a user ID when an employee's employment was terminated or when an employee was transferred. Regarding Recommendation E.1, we found that IT security staff and application owners did not periodically review user access authorizations to ensure that the levels of access to computer resources were appropriate.

Regarding Recommendation B.1, the Bureau stated in its response to the prior audit report that "The necessary information will be submitted to the Office of Personnel Management to conduct/update the clearances of the Operations Service Center staff by June 1, 1997." In addition, the Bureau stated that actions will be taken to provide a report monthly to the Office of Information Resources Management which identifies employees who transferred within the Bureau and employees whose employment was terminated so that system access can be reviewed and modified or revoked.

Regarding Recommendation E.1, the Bureau stated that the action taken to implement this recommendation was the transfer of the mainframe data processing to the Geological Survey's host computer and that December 1, 1997, was the target date for the completion of the transfer. In addition, we accepted the action to be taken by the Bureau for Recommendation B.1, to provide a monthly report to the Office of Information Resources Management, as appropriate to partially implement Recommendation E.1.

Our followup audit found that policies and procedures were not developed, implemented, and enforced for ensuring that (1) appropriate security clearances for personnel in sensitive or critical ADP positions were obtained, (2) security staff was informed whenever employees who were system users terminated their employment or were transferred, (3) security clearances had not been updated for all Bureau employees who filled sensitive or critical ADP positions except for 14 of the 55 Center employees who filled such positions, and (4) users' levels of access were reviewed and validated periodically. The "Generally Accepted Principles and Practices for Securing Information Technology Systems," issued by the National Institute of Standards and Technology, recommends that reviews and validation of the appropriateness of users' levels of access be performed periodically and, if necessary, the users' access be modified or revoked. Although reports were to be produced monthly that were to identify employees who had transferred within the Bureau or employees who had terminated their employment, Bureau management had not ensured that the reports were provided to the Bureau's IT security management staff. Additionally, we found that the agreement between the Bureau and the Geological Survey did not include provisions for the Geological Survey to ensure that users' levels of access were properly authorized and were appropriate for the users to perform their day-to-day duties or that access would be validated periodically for the Bureau's IBM applications.

Accordingly, we consider Recommendation B.1 partially implemented and Recommendation E.1 not implemented.
Additionally, Bureau management should ensure that personnel who\nare not assigned to the Center and who are in sensitive or critical ADP positions have\nsecurity clearances commensurate to the positions held. Further, if Bureau management does\nnot require Bureau personnel to review and validate the appropriateness of users\xe2\x80\x99 levels of\naccess to the Bureau\xe2\x80\x99s IBM applications, the agreement between the Bureau and the\nGeological Survey should be modified to include the requirement that the Geological Survey\nperform periodic reviews and validate the appropriateness of users\xe2\x80\x99 levels of access to the\nBureau\xe2\x80\x99s IBM applications.\n\nRecommendation D.1. Sufficient staff are provided to adequately monitor all visitor\nactivities.\n\nRecommendation D.2. Funding is provided for adeouate maintenance of the commuter\noperations room. such as nroviding daily housekeeping services, or that fire-producing\nequipment and sunnlies are removed from the computer room.\n\nOur prior audit found that the Center was located within a Federal building that provides\nunauthorized individuals access to the Center. To ensure that the Center and its resources\nwere safeguarded, physical access to the Center was achieved by electronic key cards and\n\n                                              8\n\x0cmonitored by video cameras. However, custodial (contractor) personnel and building\nmanagers were provided key cards, which afforded an opportunity for uncontrolled access\nto the Center. Additionally, we found that general housekeeping and maintenance of the\ncomputer operations room were performed only weekly. 
This weekly schedule was not\nadequate because of the failure to remove potential fire hazards, such as combustible supplies\nand dust produced by paper used in the printer, that were housed in the computer operations\nroom.\n\nIn its response to the prior audit report, the Bureau stated, \xe2\x80\x9cThe action taken to implement\nthese recommendations is the conversion of the mainframe data processing to the U.S.G.S.\n[Geological Survey] host computer.\xe2\x80\x9d\n\nOur followup audit found that, while the Bureau may no longer house the IBM and Unisys\nmainframe computers in the computer operations room, a clean and well-maintained\ncomputer operations room was still needed. The computer operations room housed server\ncomputers and telecommunications equipment for the Bureau\xe2\x80\x99s wide area network and the\nAlbuquerque Central Office\xe2\x80\x99s local area networks. We found that custodial staff and\nbuilding managers continued to have access to this sensitive area and that the room was\ncleaned only weekly. In addition, the printers and other combustible supplies remained in\nthe room. Further, physical hazards, such as file cabinets placed in front of printers, existed\nfor personnel who operated and maintained the computer equipment and peripherals.\nTherefore, we consider these recommendations not implemented.\n\nRecommendation F. 1. Ensure that a higher priori& is liven to moving the applications that\nreside on the Unisys mainframe to the IBM mainframe.\n\nOur prior audit found that passwords were not changed periodically and inactive user IDS\nwere not automatically revoked on the Unisys computer. Additionally, greater reliance had\nto be placed on the user ID and password controls to protect the applications, files, and data\nbecause the applications residing on the Unisys computer were developed without access\ncontrols and could not be modified to install the access controls. Therefore, these controls\nwere inadequate. 
However, the Bureau and the Office of the Special Trustee were planning\nto move the applications residing on the Unisys mainframe to the IBM mainframe.\n\nIn its response to the prior audit, the Bureau stated that it would transfer the data processing\nfunctions to the Geological Survey\xe2\x80\x99s host computer.\n\nOur followup audit found that the applications which resided on the Unisys mainframe were\nnot converted to the Bureau\xe2\x80\x99s IBM mainframe; therefore, the Unisys applications could not\nbe moved to the Geological Survey\xe2\x80\x99s host computer. The Unisys applications could not be\nconverted because of the lack of documented programs and because of the antiquated\nprogramming language used for the Unisys applications. The contractor estimated the cost\nto convert the applications to be in excess of $1 million. However, as an interim solution,\nthe Department\xe2\x80\x99s Office of Information Resources Management approved the Bureau\xe2\x80\x99s\nacquisition of a Unisys server computer. The applications would be moved from the Unisys\nmainframe to the Unisys server. The Department\xe2\x80\x99s Office of Information Resources\n\n                                               9\n\x0cManagement stated that the Bureau should continue to convert these applications to operate\non an IBM mainframe computer. In our opinion, because the Office of the Special Trustee\nwas redeveloping its applications that reside on the Unisys server computer, the Unisys\napplications should not be converted to the Geological Survey\xe2\x80\x99s host computer, as originally\nrecommended, but be maintained on the Unisys server until the Office of the Special\nTrustee\xe2\x80\x99s redevelopment project is completed. This action could save the Bureau at least\n$1 million in conversion costs. 
We believe that the Bureau should not implement the original recommendation because of the costs involved in converting the Unisys applications. Accordingly, we consider the recommendation resolved because it is no longer applicable.

Recommendation G.1. Ensure that policies and procedures are developed and implemented which clearly identify the individuals responsible and accountable for application development and changes.

Our prior audit found that the software development and change controls were inadequate to ensure that the proper version of an application was used in production. Based on our test of the National Irrigation Information Management System, we found that the application programmers not only programmed the application but also tested, authorized, and approved the movement of the modified programs from test or development into production. In addition, the lead programmer was not notified of software modifications. Further, one member of the Center’s systems staff, who was a programmer, could move application software changes from test or development into production without the approval of the lead programmer.

In its response to the prior report, the Bureau stated that the Office of Information Resources Management was “in the process of expanding and documenting improved procedures in this area” and that the target date for completion was July 1, 1997.

Our followup audit found that new or revised policies and procedures related to application development and changes were not developed and that individuals had not been assigned responsibilities for application development or changes. Because the policies and procedures had not been developed and responsibility had not been assigned, controls for application software development and change had not improved.
For the National Irrigation Information Management System, the application programmers continued to test applications and to approve the movement of the modified programs into production without the knowledge of the lead programmer. For the Loan Management and Accounting System, the application developer did not fully document change requests or modifications to the System. In addition, the Loan Management and Accounting System application developer had full access to user passwords and the loan databases. Further, Center personnel and contractors were developing client/server applications without any documented Bureau management support. Accordingly, we consider this recommendation not implemented.

Recommendation H.1. Ensure that staffing at the Center is evaluated and adjusted so that duties for critical system support functions are adequately segregated and fully utilized.

Recommendation I.1. Ensure that access and activities of the Center’s system programmers are controlled and monitored by security staff and that Resource Access Control Facility (RACF) controls are established to protect system resources.[4]

Regarding Recommendation H.1, our prior audit found that the duties for the support functions of system design, application programming, systems programming, quality assurance/testing, library management, change management, data control, data security, and data administration were not adequately segregated between different individuals.

Regarding Recommendation I.1, we found that controls established over system software were not effective in detecting and deterring inappropriate use. Specifically, periodic reviews of the System Maintenance Facility logs and RACF access reports were not performed by the security staff to monitor system activities effectively.
Additionally, the security staff produced reports that identified users and the computer resources accessed; however, the staff had not produced or used the primary “auditing” or monitoring reports that could be used to provide oversight of system activities. One system programmer had “alter” access to system software, the System Maintenance Facility logs, and RACF logs, which provided an opportunity for the programmer to alter his activities, as well as those of other users. Thus, the audit trails of system activities could be impaired or destroyed. Further, the RACF could be used to establish controls and monitor access to the computer resources, but it had not been set up to effectively control access to the system resources. We found that one of the “start procedures” could bypass all verification processing, including the security classification checks, and therefore affect the overall security of the system. Further, RACF was not used to protect critical system resources, including the system parameter library, linklist libraries, master catalog, and the primary and backup files. Finally, no logging or audit trails were available.

In its response to the prior audit report, the Bureau stated that it will implement these recommendations through the “conversion of the mainframe data processing” to the Geological Survey’s host computer.

Our followup audit found that Center management had not segregated system functions and had not changed the use of the RACF to be an effective critical resource control. Specifically, functions such as systems design, application programming, systems programming, quality assurance/testing, library management, change management, data control, data security, and data administration had not been segregated between different individuals.
Further, one system programmer continued to have “alter” access to system software, the System Maintenance Facility logs, and RACF logs. Because the Center will continue to maintain control over the IBM operating system and security software at the Geological Survey’s host computer through at least fiscal year 1998 and will continue to operate Unisys applications, the need for segregation of duties between different individuals and the use of RACF controls to protect system resources still exists. Accordingly, we consider these recommendations not implemented.

[4] Resource Access Control Facility (RACF) is an IBM-licensed software security product that protects information by controlling access to the information. RACF provides security by identifying and verifying users to the system, authorizing users’ access to protected resources, and recording and reporting access attempts. (Resource Access Control Facility General Users Guide, Version 1, Release 9.2, 9th edition, IBM Corp., 1993, page 1-1.)

Recommendation J.1. Ensure that a contingency plan is developed and tested and that funding is provided for acquiring a secure off-site storage facility.

Our prior audit found that the Center did not have an effective means to recover or to resume computer operations in the event of a system failure or a disaster. The Center was developing a service continuity plan for fiscal year 1997. The off-site storage facility was not located at least 1 mile from the Center, and the facility did not adequately safeguard information and data stored from unauthorized access and environmental hazards such as heat and humidity.
Thus, the data stored were at risk of loss or damage.

In its response to the prior audit report, the Bureau stated, “To ensure service continuity in case of system failure or a disaster, the Office of Information Resources Management (OIRM) has a contract for back-up of its A-17 [Unisys] computer.” The Bureau further stated, “OIRM has determined that a similar contract for its IBM 3090 computer is not warranted because of the pending transfer to the U.S. Geological Survey (USGS) of the data processing operation.” The Geological Survey had indicated that it had a contract which would cover the Bureau’s systems during the transfer to the host computer. The Bureau did not specifically respond to the recommendation on acquiring a secure off-site storage facility.

Our followup audit found that the Bureau did have a contract and, in a test situation, had successfully recovered its Unisys applications. However, the Bureau had not acquired an environmentally sound and secure off-site storage location. As such, the backup tapes were stored on-site in the Center’s computer room. Accordingly, we consider the recommendation partially implemented.

Recommendations

We recommend that the Assistant Secretary for Indian Affairs ensure that the Bureau of Indian Affairs:

    1. Establishes as a high priority the use of the Geological Survey’s host computer’s operating, security, and automated job scheduling systems.

    2. Develops and approves an Office of Information Resources Management strategic plan which provides direction to and defines the functions of the Operations Service Center.

    3. Holds the IT Security Manager accountable for performing the position responsibilities.

    4. 
Performs periodically an evaluation of the system security program’s effectiveness and includes any resultant corrective actions in future Bureau security plans.

    5. Redetermines, based on the Office of Information Resources Management’s strategic plan, when the Bureau can begin performing risk assessments and classifying its resources. Also, personnel who will be responsible for the risk assessments and resource classifications should be identified.

    6. Obtains security clearances for ADP personnel who are not assigned to the Center that are commensurate with their positions.

    7. Requires Bureau staff to review and validate the appropriateness of users’ levels of access to the Bureau’s IBM applications. If the users’ levels of access are not reviewed and validated by Bureau personnel, the Bureau should modify its agreement with the Geological Survey to include the requirements that access reviews and verifications be performed for the IBM applications by the Geological Survey.

    8. Removes all safety hazards from the computer operations room.

Bureau of Indian Affairs Response and Office of Inspector General Reply

In the May 19, 1998, response (Appendix 2) from the Assistant Secretary for Indian Affairs to this audit report, the Bureau concurred with Recommendations 1, 2, 3, 4, 5, 6, and 7 and concurred “in part” with Recommendation 8. Based on the response, we consider Recommendations 1 and 8 resolved and implemented and Recommendations 2, 3, 4, 5, and 6 resolved but not implemented. Accordingly, the unimplemented recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation.
Also based on the response, the Bureau is requested to provide additional information for Recommendation 7 (see Appendix 3).

Regarding our April 1997 report, the Bureau, in its May 1998 response, concurred with Recommendations A.1, A.2, A.3, B.1, C.1, E.1, G.1, H.1, I.1, and J.1 and concurred in part with Recommendations D.1 and D.2. Based on the response, we consider Recommendations A.1, D.1, I.1, and J.1 resolved and implemented and Recommendations A.2, A.3, B.1, C.1, D.1, E.1, G.1, and H.1 resolved but not implemented (see Appendix 4). Accordingly, this information on the prior recommendations will be forwarded to the Assistant Secretary for Policy, Management and Budget.

In accordance with the Departmental Manual (360 DM 5.3), we are requesting a written response to this report by July 10, 1998. The response should provide the information requested in Appendix 3.

The legislation, as amended, creating the Office of Inspector General requires semiannual reporting to the Congress on all audit reports issued, actions taken to implement audit recommendations, and identification of each significant recommendation on which corrective action has not been taken.

We appreciate the assistance of Bureau personnel in the conduct of our audit.

APPENDIX 1
Page 1 of 4

SUMMARY OF RECOMMENDATIONS AND CORRECTIVE ACTIONS FOR AUDIT REPORT “GENERAL CONTROLS OVER AUTOMATED INFORMATION SYSTEMS, OPERATIONS SERVICE CENTER, BUREAU OF INDIAN AFFAIRS”

Recommendations / Status of Recommendations and Corrective Actions

A.1. 
The information technology security function is elevated organizationally to at least report directly to the Director, Office of Information Resources Management; is formally provided with authority to implement and enforce a Bureauwide system security program; and is provided staff to perform the required duties, such as providing computer security awareness training and performing periodic risk assessments.

    Status: Not implemented. Bureau management had not reorganized the Office of Information Resources Management to elevate the information technology security function to report directly to the Director, Office of Information Resources Management. Bureau management also had not ensured that the information technology security function was provided with authority to implement and enforce a Bureauwide system security program. In its response, Bureau officials stated that the staff would not be increased because of the transfer of data processing functions to the Geological Survey, which has not occurred.

A.2. A system security program is developed and documented which includes the information required by the Computer Security Act of 1987 and Office of Management and Budget Circular A-130, Appendix III, and that policies and procedures are implemented to keep the system security program current.

    Status: Not implemented. A revised system security program and new or revised policies and procedures had not been developed, and an evaluation of the security program’s effectiveness had not been performed.

A.3. The Bureau’s security personnel perform risk assessments of the Bureau’s automated information systems environment and, as appropriate, provide assurance that the necessary changes are implemented to manage the risks identified.

    Status: Not implemented. Corrective actions to implement the recommendation, such as the reorganization of the Office of Information Resources Management and the transfer of data processing functions to the Geological Survey, had not occurred.

B.1. Ensure that personnel security policies and procedures are developed, implemented, and enforced, including those for obtaining appropriate security clearances for personnel in sensitive or critical ADP positions and for informing the security staff, in writing, whenever employees who are system users terminate their employment or are transferred.

    Status: Partially implemented. No new or revised personnel security policies and procedures had been developed. Although the necessary paperwork to initiate security clearances for 14 Center employees had been prepared, security clearance paperwork had not been initiated for employees who were not assigned to the Center and performed ADP sensitive and critical functions. Also, Bureau management was to provide the security staff with monthly reports that identified Bureau personnel who had terminated their employment or who were transferred; however, the reports had not been provided to the security staff.

C.1. Develop and implement policies to classify the Bureau’s computer resources in accordance with the results of periodic risk assessments and guidance contained in Office of Management and Budget Circular A-130, Appendix III.

    Status: Not implemented. No new or revised policies had been developed. Additionally, Bureau management had not taken corrective actions, such as reorganizing the Office of Information Resources Management and transferring data processing functions.

D.1. Sufficient staff are provided to adequately monitor all visitor activities.

    Status: Not implemented. Corrective actions were dependent upon transferring data processing functions to the Geological Survey, which had not occurred. However, the Center had installed server computers and network communications equipment that also required safeguarding.

D.2. Funding is provided for adequate maintenance of the computer operating room, such as providing daily housekeeping services, or that fire-producing equipment and supplies are removed from the computer room.

    Status: Not implemented. Corrective actions were dependent upon data processing functions being transferred to the Geological Survey, which had not occurred. However, the Center had installed server computers and telecommunications equipment in the computer operations room, which also needed to be protected from dust and fire hazards.

E.1. Ensure that policies are developed and implemented which match personnel files with system users periodically, that user IDs are deleted from the system for users whose employment had been terminated, and that verification and approval are obtained from user supervisors and application owners or managers that the levels of access are appropriate.

    Status: Not implemented. No new or revised policies had been developed. Additionally, Bureau management was to provide the security staff with monthly reports identifying Bureau personnel who had terminated their employment or who were transferred; however, the reports had not been provided to the security staff. Additionally, Bureau management’s corrective action was dependent upon transferring data processing functions to the Geological Survey. However, data processing functions were not transferred, and the agreement between the Bureau and the Geological Survey did not contain provisions for the Geological Survey to ensure that users’ levels of access were properly authorized and were appropriate for the users to perform their day-to-day duties or that the access would be validated periodically.

F.1. Ensure that a higher priority is given to moving the applications that reside on the Unisys mainframe to the IBM mainframe.

    Status: Resolved. The recommendation is no longer applicable.

G.1. Ensure that policies and procedures are developed and implemented which clearly identify the individuals responsible and accountable for application development and changes.

    Status: Not implemented. No new or revised policies had been developed.

H.1. Ensure that staffing at the Center is evaluated and adjusted so that duties for critical system support functions are adequately segregated and fully utilized.

    Status: Not implemented. Corrective actions were dependent upon data processing functions being transferred to the Geological Survey. However, for at least fiscal year 1998, the Bureau will continue to operate and control the IBM operating system and security software after the transfer to the Geological Survey. Additionally, the Bureau will be operating and controlling a Unisys server computer and maintaining the applications that will reside on the Unisys computer.

I.1. Ensure that access and activities of the Center’s system programmer are controlled and monitored by security staff and that RACF controls are established to protect system resources.

    Status: Not implemented. Corrective actions were dependent upon data processing functions being transferred to the Geological Survey. However, for at least fiscal year 1998, the Bureau will continue to operate and control the IBM operating system and security software.

J.1. Ensure that a contingency plan is developed and tested and that funding is provided for acquiring a secure off-site storage facility.

    Status: Partially implemented. Although a contingency plan had not been developed, the Bureau had contracted for a backup site for the Unisys mainframe computer in the event of a disaster and had tested the functionality of the backup site. Additionally, the Geological Survey had agreed to include the Bureau’s operating system and security and application software as part of the Geological Survey’s contingency plan.
However, Bureau management had not acquired a secure off-site storage facility for the data and files.

APPENDIX 2
Page 1 of 9

United States Department of the Interior
OFFICE OF THE SECRETARY
Washington, D.C. 20240

Memorandum

To: Assistant Inspector General for Audits

From: Assistant Secretary - Indian Affairs

Subject: Draft Audit Report on Followup of General Controls Over Automated Information Systems, Operations Service Center, Bureau of Indian Affairs (A-IN-BIA-001-97)

The subject audit report addresses the Bureau of Indian Affairs (Bureau) implementation of the recommendations made by the Office of Inspector General in its April 1997 audit report entitled “General Controls Over Automated Information Systems, Operations Service Center, Bureau of Indian Affairs” (Report No. 97-I-771). The followup audit found that the Bureau had partially implemented 2 of the 13 recommendations made in the April 1997 report and had not implemented 10 recommendations and that 1 recommendation was no longer applicable. The audit concluded that the general control risks identified by the prior audit for fiscal year 1996 continued to exist during fiscal year 1997. The subject audit report includes eight new recommendations.

The Bureau generally agrees with the findings of the followup audit.
As noted in our response to the April 1997 audit, the Office of Information Resources Management was to undergo a reorganization and redescription of positions because of the transfer of mainframe data processing from the Bureau to the U.S. Geological Survey. Although the reorganization/redescription began in fiscal year 1997, the resignation of the Director and the transfer and subsequent retirement of the Deputy Director limited its effectiveness. The reorganization is well underway, and the Acting Director, Office of Information Resources Management is on-site in Albuquerque, New Mexico. As discussed below, the Service Center has taken actions to implement many of the recommendations and to improve its controls. Finally, the Bureau appreciates the changes made to the draft report from our discussions on the preliminary draft report.

As requested, we have provided a revised corrective action plan for the unimplemented recommendations. To avoid repeating corrective actions, we have included the new recommendations with the unimplemented recommendations from the prior audit.

Followup Audit Recommendation 1. We recommend that the Assistant Secretary - Indian Affairs ensure that the Bureau of Indian Affairs establishes as a high priority the use of the Geological Survey’s host computer’s operating, security, and automated job scheduling functions.

Bureau Response. The Bureau concurs. The Service Center will complete the transfer of all IBM mainframe operations, system software support, and security administration functions to the U.S. Geological Survey Data Center in Reston, Virginia, by May 31, 1998.
We consider this recommendation implemented.

Followup Audit Recommendation 2. We recommend that the Assistant Secretary - Indian Affairs ensure that the Bureau of Indian Affairs develops and approves an Office of Information Resources Management strategic plan which provides direction to and defines the functions of the Operations Service Center.

Bureau Response. The Bureau concurs. A comprehensive strategic plan for the Office of Information Resources Management is being developed and finalized under contract with MitreTek. The strategic plan will be completed by September 30, 1998. The responsible official is the Director, Office of Information Resources Management.

Prior Audit Recommendation A.1. The information technology security function be elevated organizationally to at least report directly to the Director, Office of Information Resources Management; is formally provided with authority to implement and enforce a Bureauwide system security program; and is provided staff to perform the required duties, such as providing computer security awareness training and performing periodic risk assessments.

Followup Audit Recommendation 3. We recommend that the Assistant Secretary - Indian Affairs ensure that the Bureau of Indian Affairs holds the IT Security Manager accountable for performing the position responsibilities.

Bureau Response. The Bureau concurs. The Information Technology Security Manager’s position has reported to the Office Director since October 1997. (See Attachment 1.) The position has Bureauwide authority for the information technology security program.
As noted in our response to the prior report, we believe that sufficient staff will be available to manage the security requirements once we transfer the remaining processing functions for the IBM computer to the Geological Survey. As with all employees, Bureau management will hold the Security Manager accountable through the performance appraisal process. The reorganization will be completed by September 30, 1998. The responsible official is the Director, Office of Information Resources Management.

Prior Audit Recommendation A.2. A system security program is developed and documented which includes the information required by the Computer Security Act of 1987 and Office of Management and Budget Circular A-130, Appendix III, and that policies and procedures are implemented to keep the system security program current.

Followup Audit Recommendation 4. We recommend that the Assistant Secretary - Indian Affairs ensure that the Bureau of Indian Affairs performs periodically an evaluation of the system security program’s effectiveness and includes any resultant corrective actions in future Bureau security plans.

Bureau Response. The Bureau concurs. The Bureau has entered into an agreement with Washington Administrative Service Center-West to develop a comprehensive computer security plan that will address computer security policies, operating procedures, responsibilities, contingency planning and risk analysis. (See Attachment 2.)
The plan will be developed in accordance with the\nstandards and guidance published in the Office of Management and Budget Circular A-130; the\nNational Institute of Standards and Technology\xe2\x80\x99s Federal Information Processing Standards\nPublications dealing with automated information system security; and the Office of Personnel\nManagement\xe2\x80\x99s Federal Personnel Manual issuances on personal security as they relate to automated\ninformation systems. The plan\xe2\x80\x99s operating procedures and the management control reviews required\nby the Department\xe2\x80\x99s Office of Information Management will ensure that the plan is periodically\nreviewed and updated. The plan will be developed by July 31, 1998. The responsible official is the\nInformation Technology Security Manager.\n\nPrior Audit Recommendation A.3. The Bureau\xe2\x80\x99s security personnel perform risk assessments of\nthe Bureau\xe2\x80\x99s automated information systems environment and, as appropriate, provide assurance that\nthe necessary changes are implemented to manage the risks identified.\n\nPrior Audit Recommendation C.1. Develop and implement policies to classify the Bureau\xe2\x80\x99s\ncomputer resources in accordance with the results of periodic risk assessments and guidance\ncontained in Office of Management and Budget Circular A-130, Appendix III.\n\nFollowup Audit Recommendation 5. We recommend that the Assistant Secretary - Indian Affairs\nensure that the Bureau of Indian Affairs redetermines, based on the Office of Information Resources\nManagement\xe2\x80\x99s strategic plan, when the Bureau can begin performing risk assessments and classifying\nits resources. Also, personnel who will be responsible for risk assessments and resource classifications\nshould be identified.\n\nBureau Response. The Bureau concurs. 
Risk assessments and classifications of the Bureau\xe2\x80\x99s\nautomated information systems environment will be performed beginning in fiscal year 1999 in\naccordance with the Bureau\xe2\x80\x99s security program plan. The Information Technology Security\nManagement staff will provide oversight of this effort. Risk assessments and classifications will be\ndone by teams consisting of personnel from the Bureau\xe2\x80\x99s Office of Information Resources\nManagement and the program offices.\n\nPrior Audit Recommendation B.1. Ensure that personnel security policies and procedures are\ndeveloped, implemented, and enforced, including those for obtaining appropriate security clearances\nfor personnel in sensitive or critical ADP positions and for informing the security staff, in writing,\nwhenever employees who are system users terminate their employment or are transferred.\n\nPrior Audit Recommendation E.1. Ensure that policies are developed and implemented which\nmatch personnel files with system users periodically, that user ID(s) are deleted from the system for\nusers whose employment has been terminated, and that verification and approval are obtained from\nuser supervisors and application owners or managers that the levels of access are appropriate.\n\nFollowup Audit Recommendation 6. We recommend that the Assistant Secretary - Indian Affairs\nensure that the Bureau of Indian Affairs obtains security clearances for ADP personnel who are not\nassigned to the Center that are commensurate with their positions.\n\nFollowup Audit Recommendation 7. 
We recommend that the Assistant Secretary - Indian Affairs\nensure that the Bureau of Indian Affairs requires Bureau staff to review and validate the\nappropriateness of users\xe2\x80\x99 levels of access to the Bureau\xe2\x80\x99s IBM applications. If the users\xe2\x80\x99 levels of\naccess are not reviewed and validated by Bureau personnel, the Bureau should modify its agreement\nwith the Geological Survey to include the requirement that access reviews and verifications be\nperformed for the IBM applications by the Geological Survey.\n\nBureau Response. The Bureau concurs. In February 1998, the Bureau reorganized its position\nsensitivity and security program. As part of this effort, the Central Office is reviewing all sensitive\npositions, including information technology positions, to determine whether the positions are\nclassified consistently. Once the position descriptions are reviewed, the personnel system will be\nupdated and a listing generated that will identify individuals needing initial and upgraded\ninvestigations or reinvestigations. While we will complete this initial effort by September 30, 1998,\nthe scheduling of the investigations will be dependent on available area office funding. The Bureau\xe2\x80\x99s\nSecurity Officer, however, will monitor the area offices to ensure that the investigations are\ncompleted. In addition, the Information Technology Security Manager will ensure that the\nemployee termination report is received and reconciled with system users. The report will also be\nprovided to the Geological Survey for its use in managing Bureau system user profiles.\n\nPrior Audit Recommendation D.1. Sufficient staff are provided to adequately monitor all visitor\nactivities.\n\nPrior Audit Recommendation D.2. 
Funding is provided for adequate maintenance of the computer\noperating room, such as providing daily housekeeping services, or that fire-producing equipment and\nsupplies are removed from the computer room.\n\nFollowup Audit Recommendation 8. We recommend that the Assistant Secretary - Indian Affairs\nensure that the Bureau of Indian Affairs removes all safety hazards from the computer room.\n\nBureau Response. The Bureau concurs in part. We believe that we have implemented these\nrecommendations to the extent possible given our available resources. Monitoring of visitor activities\nis handled by the organizational element receiving the visitor(s). All non-Service Center personnel\nmust register with the Information Technology Security Manager. A minimum number of access keys\nhave been provided to custodial, building security, and GSA building managers based upon their need\nto enter the facility. In addition, the Service Center has funded full-time housekeeping and\nmaintenance service for the computer room and ancillary facilities beginning in fiscal year 1998.\nFinally, the Service Center has corrected the safety deficiencies identified by the Division of Safety\nManagement in its annual safety and health evaluation for fiscal year 1997.\n\nPrior Audit Recommendation G.1. Ensure that policies and procedures are developed and\nimplemented which clearly identify the individuals responsible and accountable for application\ndevelopment and changes.\n\nBureau Response. The Bureau concurs. The Bureau recruited and filled the Chief, Applications\nSupport Branch, position in November 1997. 
The Branch is developing and implementing standards,\nprocedures, and policies to ensure full accountability for all application system change management\nand production implementation of the Office\xe2\x80\x99s applications. This guidance, when finalized, will be\ndistributed to all Bureau offices which develop and/or maintain application systems. The responsible\nofficial is the Chief, Applications Support Branch.\n\nPrior Audit Recommendation H.1. Ensure that staffing at the Center is evaluated and adjusted so\nthat duties for critical system support functions are adequately segregated and fully utilized.\n\nPrior Audit Recommendation I.1. Ensure that access and activities of the Center\xe2\x80\x99s system\nprogrammers are controlled and monitored by security staff and that Resource Access Control Facility\n(RACF) controls are established to protect system resources.\n\nBureau Response. The Bureau concurs. This has been accomplished for the applications residing\non the IBM computer with the transfer of the remaining application operations, system software\nsupport, and security functions to the Geological Survey. The operating system and security features\nof the new Unisys NX Server provide much improved safeguards for the data and applications\nresiding on this platform. Although RACF controls are not compatible with the Unisys NX Server,\nthe Bureau will establish similar controls. Finally, separation of duties, to the extent possible, was\nconsidered during the reorganization/redescription of positions for the Service Center. We consider\nthese recommendations implemented.\n\nPrior Audit Recommendation J.1. 
Ensure that a contingency plan is developed and tested and that\nfunding is provided for acquiring a secure off-site storage facility.\n\nBureau Response. The Bureau concurs. As stated in the draft audit report, the Bureau has a\ndisaster recovery contract that has been fully tested and certified for the Unisys hosted applications.\nIn addition, the Bureau has obtained off-site storage for its backup media at the Southwestern Indian\nPolytechnic Institute which is approximately 8 miles from the Service Center. We consider this\nrecommendation implemented.\n\n\n\nAttachments\n\n\n\n\nAttachment 1\n\n\n\n                          United States Department of the Interior\n                                      BUREAU OF INDIAN AFFAIRS\n                                       Information Resources Management\n                                           Operations Service Center\n                                            500 Gold Avenue, S.W.\n                                                 P.O. Box 888\n                                        Albuquerque, New Mexico 87103\n\n\n\nOffice of Information Resources Management\nOperations Service Center\nMS4514                                           m- 3 1998\n\n      MEMORANDUM\n\n\n      REPLY TO\n      ATTN OF: Acting Director, Office of Information Resources Management\n\n      SUBJECT: Bureau AIS Security Officer Status.\n\n      TO: 
Acting Director, Management and Administration\n\n      In accordance with the recommendation of the Department Inspector General, Position\n      Number KOO283-01223, GS-0334-13, Computer Specialist within our Operations Service\n      Center, has reported directly to the undersigned since October 26, 1997.\n\n      This position is encumbered by Jerry K. Bel\n      Automated Information Systems (AIS) Secun\n\n\n\n\n      CC:\n      Personnel Office, Albuquerque Area Office\n      Jerry Fiely, Deputy Director - Audit & Evaluation\n\n\n\n\n                                                               WASC-West Project Scope Statement\n                                                                                      March 1998\n                                                                          Revised March 10, 1998\n\n\n\nProject Number 98-053\n\nProject Title\nDevelopment of Security Plan\n\nClient\nBIA\n\nProgram Manager\nTony Manzi, WASC-West\n\nProject Leader\nEllen Erikson\n\nProject Team\nWASC:        5m Opeka\nUSGS:        Blanche Heard\nBIA:         Jerry Belew; Lorraine Jaramillo; Wesley Anderson\n\nProject Description\n\n         Problem Statement\n         The Bureau of Indian Affairs (BIA) has identified the need to develop a comprehensive\n         computer security plan. The plan will address computer security policies, operating\n         procedures, responsibilities, contingency planning, and risk analysis. 
The plan should be\n         developed in accordance with the standards and guidance published in the Office of\n         Management and Budget (OMB) Circular No. A-130; the National Institute of Standards\n         and Technology\xe2\x80\x99s Federal Information Processing Standards Publications (FIPS PUBS)\n         dealing with automated information system security; and the Office of Personnel\n         Management\xe2\x80\x99s Federal Personnel Manual issuances on personal security as they relate to\n         automated information systems.\n\n         Background\n         BIA recently transferred its mainframe computer applications from Albuquerque, NM to\n         the U.S. Geological Survey (USGS) mainframe computer in Reston, VA. The\n         applications are currently operating in a separate partition of the USGS mainframe. BIA\n         is responsible for administering security for these applications. There are still a number of\n         BIA applications running on hardware located in Albuquerque, NM. 
BIA staff is also\n         responsible for security at the Albuquerque installation.\n\n         In addition, the Office of the Inspector General issued a draft audit report (A-IN-BIA-001-97)\n      in February 1998, that identifies a number of issues and recommendations relative\n      to computer security.\n\n      The proposed security plan needs to address security policies, standards, and procedures\n      that are applicable to the current operating environment, consistent with applicable USGS\n      policies and procedures, and responsive to the recommendations in the draft audit report.\n\n      Project Objectives\n      The objective of this project is to develop a comprehensive computer security program\n      that:\n\n      -      complies with applicable Federal regulations and guidelines,\n      -      provides an appropriate response to the OIG draft audit report, and\n      -      ensures that BIA hardware, software, and application data are secure.\n\n      The computer security program will address the following:\n      -     security policies, standards, and operating procedures,\n      -     administrative, physical, application, and personal security,\n      -     individual and organizational security responsibilities,\n      -     contingency and disaster recovery planning,\n      -     risk analysis policies and procedures.\n\n      Target Deliverable Dates\n      March 20, 1998             
     Proposed Project Scope Statement delivered to BIA\n      April 3, 1998                  Proposed Project Scope Statement approved by BIA\n      April 10, 1998                 Detailed project plan delivered to BIA\n      May 29, 1998                   Draft security plan delivered to BIA\n      June 19, 1998                  Draft security plan approved by BIA\n      July 3, 1998                   Final security plan delivered to BIA\n      July 10, 1998                  Proposal for implementing security plan delivered to BIA (if\n                                     requested)\n\nProject Methodology\n\n      General Approach\n      A project team will be established that includes representation from BIA, the WASC, and\n      USGS. The team will review appropriate Federal guidelines and regulations, interview\n      applicable computer personnel, inventory BIA applications residing in Reston and\n      Albuquerque, review applicable USGS computer security plans, and review the OIG draft\n      report findings and recommendations. The project leader will provide periodic project\n      status updates to the WASC-West program manager who in turn will provide updates to\n      BIA management. 
Policy and procedure issues will be brought to BIA management for\nresolution as required.\n\nAssumptions\nBIA applications currently operating in a separate partition of the USGS mainframe\ncomputer will eventually migrate to the general production area of the mainframe and\nRACF security for BIA will be integrated into the regular production RACF security\ndatabase.\n\nMainframe computer security administration will eventually be the responsibility of USGS\npersonnel.\n\nAt least one member of the project team will be familiar with the BIA Unisys system\napplications and access controls.\n\n\n\n\n                                                                        APPENDIX 3\n\n\n\n\n STATUS OF CURRENT AUDIT REPORT RECOMMENDATIONS\n\nFinding/Recommendation\n        Reference                 Status                    Action Required\n\n\n        1 and 8          Implemented.             No further action is required.\n\n    2, 3, 4, 5, and 6    Resolved; not            No further response to the Office\n                         implemented.             of Inspector General is required.\n                                                  The recommendations will be\n                                                  referred to the Assistant Secretary\n                                                  for Policy, Management and\n                                                  Budget for tracking of\n                                                  implementation.\n\n           7             Management concurs;      Provide target dates for when (1)\n                         additional information   the IT Security Manager will begin\n                         needed.                  
receiving the employee termination\n                                                  reports and (2) the supervisors and\n                                                  application owners will begin\n                                                  approving levels of access.\n                                                  Additionally, a copy of the\n                                                  modified agreement with the\n                                                  Geological Survey requiring access\n                                                  reviews and verifications should be\n                                                  provided to the Office of Inspector\n                                                  General.\n\n\n\n\n                                                                      APPENDIX 4\n\n\n\n   STATUS OF PRIOR AUDIT REPORT RECOMMENDATIONS\n\n\nFinding/Recommendation\n       Reference                     Status                 Action Required\n\n\n  A.1, D.1, I.1, and J.1    Implemented                 No further action required.\n\n A.2, A.3, B.1, C.1, D.1,   Resolved, not implemented   No further response to the\n   E.1, G.1, and H.1                                    Office of Inspector General is\n                                                        required. 
The\n                                                      recommendations will be\n                                                      referred to the Assistant\n                                                      Secretary for Policy,\n                                                      Management and Budget for\n                                                      tracking of implementation.\n\n\n\n\n                    ILLEGAL OR WASTEFUL ACTIVITIES\n                        SHOULD BE REPORTED TO\n                  THE OFFICE OF INSPECTOR GENERAL BY:\n\n    Sending written documents to:                                  Calling:\n\n\n                          Within the Continental United States\n\n    U.S. Department of the Interior                       Our 24-hour\n    Office of Inspector General                           Telephone HOTLINE\n    1849 C Street, N.W.                                   1-800-424-5081 or\n    Mail Stop 5341                                        (202) 208-5300\n    Washington, D.C. 20240\n\n\n                                                          TDD for hearing impaired\n                                                          (202) 208-2420 or\n                                                          1-800-354-0996\n\n\n                          Outside the Continental United States\n\n                                         Caribbean Region\n\n    U.S. Department of the Interior                       (703) 235-9221\n    Office of Inspector General\n    Eastern Division - Investigations\n    4040 Fairfax Drive\n    Suite 303\n    Arlington, Virginia 22201\n\n                                        North Pacific Region\n\n    U.S. 
Department of the Interior                     (671) 647-6051\n    Office of Inspector General\n    North Pacific Region\n    415 Chalan San Antonio\n    Baltej Pavilion, Suite 306\n    Tamuning, Guam 96911\n\nToll Free Numbers:\n 1-800-424-5081\n TDD 1-800-354-0996\n\nFTS/Commercial Numbers:\n (202) 208-5300\n TDD (202) 208-2420\n\n HOTLINE\n1849 C Street, N.W.\nMail Stop 5341\nWashington, D.C. 20240\n'